Super UEFIinSecureBoot Disk: Boot any OS or .efi file without disabling UEFI Secure Boot

Super UEFIinSecureBoot Disk

Super UEFIinSecureBoot Disk is a proof-of-concept bootable image (not actively maintained or enhanced) with the GRUB2 bootloader, designed to be used as a base for recovery USB flash drives.

Key feature: the disk is fully functional with UEFI Secure Boot mode activated. It can launch any operating system or .efi file, even one with an untrusted, invalid or missing signature.

Features:

  • GRUB2 Bootloader
  • 32-bit (ia32) / 64-bit (x86_64) UEFI (+ Secure Boot) support
  • BIOS / UEFI CSM support
  • Launch any operating system
  • Launch any .efi executable from GRUB2
  • Launch any .efi executable from another .efi application
  • Load any UEFI drivers

Based on:

Description

Secure Boot is a feature of UEFI firmware which is designed to secure the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature.

Most modern computers come with Secure Boot enabled by default, which is a requirement of the Windows 10 certification process. Although it can be disabled in the UEFI setup menu on all typical motherboards, sometimes this is not easily possible, e.g. because of a UEFI setup password on a corporate laptop which the user doesn't know.

This disk, after being installed on a USB flash drive and booted from, effectively disables Secure Boot protection features and temporarily allows almost any action to be performed on the PC as if Secure Boot were disabled. This could be useful for data recovery, OS re-installation, or just for booting from USB without thinking about additional steps.

Installation

Download the image file from the releases page and write it to a USB flash drive using one of the following programs:

WARNING: all your USB flash data will be deleted.

The image contains a single 500 MiB FAT32 partition. Use gparted or a similar tool to resize it to use the full USB drive space.

Usage

The first boot on a PC with Secure Boot will show an Access Violation message box. Press OK and choose the "Enroll cert from file" menu option. Select ENROLL_THIS_KEY_IN_MOKMANAGER.cer and confirm the certificate enrollment.

Computers without Secure Boot will boot to GRUB without manual intervention.

FAQ

  • Does this disk work in Secure Boot?
    Yes, it does. It loads any unsigned or untrusted Linux kernel, .efi file or driver after a manual first-boot key enrollment using the MokManager software. You don't need to disable Secure Boot to perform the first-boot key enrollment.

  • Does this disk work on UEFI-based computers without Secure Boot, or with Secure Boot disabled?
    Yes, it would work like a stock GRUB2.

  • Does this disk work on older computers with BIOS?
    Yes, it works just as any other GRUB2 bootloader.

  • Can this disk be used to bypass Secure Boot in UEFI bootkit/virus?
    No, not really. This disk requires manual intervention by a physically present user on first boot, which defeats a bootkit's purpose of being stealthy.

  • Can I replace GRUB with another EFI bootloader (rEFInd, syslinux, systemd-boot)?
    Yes, replace grubx64_real.efi/grubia32_real.efi with your files. The bootloader does not need to be signed and should also start any .efi file thanks to the Security Policy installed by grubx64.efi/grubia32.efi (PreLoader), just like the GRUB2 included on the disk.

Technical information

The UEFI boot process of this disk is performed in 3 stages.

bootx64.efi (shim) → grubx64.efi (preloader) → grubx64_real.efi (grub2) → EFI file/OS

Stage 1: the motherboard loads shim. Shim is a special loader which just loads the next executable, grubx64.efi (preloader) in our case. Shim is signed with a Microsoft key, which allows it to be launched in Secure Boot mode on all stock PC motherboards.
Shim contains an embedded Fedora certificate (because it is extracted from the Fedora repository). If Secure Boot is enabled, since grubx64.efi is not signed with the embedded Fedora certificate, shim boots another executable, MokManager.efi, which is shim's key management software. MokManager asks the user to proceed with the key or hash enrollment process.
Newer versions of shim install hooks for the UEFI LoadImage, StartImage, ExitBootServices and Exit functions to "Harden against non-participating bootloaders", which has to be bypassed for this disk's use case. Fedora's shim does not install custom UEFI security policies, which is why it is not possible to load self-signed .efi files from a second-stage bootloader, even if you add their hashes or certificates using MokManager.

Stage 2: preloader is software similar to shim. It also performs executable validation and loads the next .efi file. The preloader included on this disk is a stripped-down version which performs only one function: it installs an allow-all UEFI security policy. This permits loading arbitrary .efi executables with the LoadImage/StartImage UEFI functions even outside GRUB (for example, in the UEFI Shell), and bypasses shim hardening.

Stage 3: GRUB2 is a well-known universal bootloader. It has been patched to load the Linux kernel without additional verification (linux/linuxefi commands), to load .efi binaries into memory and jump to their entry point (chainloader command), and to mimic a "participating bootloader" for shim.
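
The key or hash enrolled through MokManager in stage 1 stays in shim's MOK list, so it can be audited afterwards. The following is an added example, not part of this project: it parses the EFI_SIGNATURE_LIST format used for that list and reports entries missing from an allowlist. It assumes a Linux host where shim exposes the list as MokListRT in efivarfs; the function names, allowlist and sample bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Runtime copy of shim's MOK list on Linux (efivarfs prepends 4 attribute bytes).
MOK_VAR = "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"

def parse_signature_lists(blob):
    """Yield (kind, fingerprint) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated list header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            data = blob[pos + 16:pos + sig_size]  # skip the SignatureOwner GUID
            if sig_type == EFI_CERT_SHA256:
                yield "sha256", data.hex()  # enrolled image hash
            else:  # X.509 certificate or other type: fingerprint the raw bytes
                kind = "x509" if sig_type == EFI_CERT_X509 else "other"
                yield kind, hashlib.sha256(data).hexdigest()
            pos += sig_size
        off = end

def unexpected_mok_entries(blob, allowlist):
    """Return MOK entries whose SHA-256 fingerprint is not in the allowlist."""
    return [(k, fp) for k, fp in parse_signature_lists(blob) if fp not in allowlist]

def make_list(sig_type, payload):
    """Build a one-entry EFI_SIGNATURE_LIST (only for the constructed sample)."""
    body = bytes(16) + payload  # all-zero owner GUID
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

# Constructed sample: placeholder bytes, not real certificates or the disk's key.
DISTRO_CERT, EXTRA_CERT = b"constructed-distro-cert", b"constructed-extra-cert"
EXTRA_HASH = hashlib.sha256(b"constructed.efi").digest()
SAMPLE = (make_list(EFI_CERT_X509, DISTRO_CERT) + make_list(EFI_CERT_X509, EXTRA_CERT)
          + make_list(EFI_CERT_SHA256, EXTRA_HASH))
ALLOWLIST = {hashlib.sha256(DISTRO_CERT).hexdigest()}

if __name__ == "__main__":
    for kind, fp in unexpected_mok_entries(SAMPLE, ALLOWLIST):
        print("MOK entry not in allowlist:", kind, fp)
```

On a live Linux host, pass `open(MOK_VAR, "rb").read()[4:]` instead of `SAMPLE`; the first four bytes are the efivarfs attribute field.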

Additional information

Read my article on this topic: Exploiting signed bootloaders to circumvent UEFI Secure Boot (also available in Russian)

Notes

The Super UEFIinSecureBoot Disk GRUB2 sets the variable suisbd=1. It can be used to detect the disk's patched GRUB2 in a grub.conf shared between multiple bootloaders.

Since version 3, GRUB uses the stock UEFI .efi file loader, as there are some problems with the internal loader implementation. To use the internal loader, add set efi_internal_loader=1 to the GRUB configuration file. Both methods can load untrusted .efi files.
